Merge branch 'fix/m11-cosign-v3-sign-blob-bundle': M-11 cosign v3 sign-blob migration

Cosign v3.0 (shipped by default with sigstore/cosign-installer@cad07c2e,
release v3.0.5) removed --output-signature and --output-certificate from
the sign-blob subcommand. The replacement is a single --bundle flag that
emits a unified Sigstore bundle (.sigstore.json) containing the
signature, certificate chain, and Rekor inclusion proof in one file.

This change migrates both sign-blob invocations in .github/workflows/
release.yml (per-binary matrix signing and aggregate checksums.txt
signing), updates the artefact upload paths, the artefact aggregation
case filter, the GitHub Release asset list, and the release-notes body
verify-blob example. The README cosign verification snippet and sidecar
description are also updated to the --bundle / .sigstore.json shape.

No cosign version pinning. No legacy fallback. OCI image signing
(cosign sign on image digest) is unchanged — only sign-blob flags
changed in v3.0. See M-11 in certctl-audit-report.md.

Verification gates:
- YAML parse: OK
- go vet ./...: exit 0
- go build ./...: exit 0
- grep 'cosign sign-blob' release.yml: 2 (expected: 2)
- grep '.sigstore.json' release.yml: 9 (expected: >=5)
- grep '.sig/.pem' release.yml non-comment: 0 (expected: 0)
- README legacy cosign refs: 0 (expected: 0)
- docs/ legacy cosign refs: 0 (expected: 0)

Coverage: unchanged (CI workflow edit + README — zero Go code touched).

.github/workflows/release.yml

@@ -79,10 +79,14 @@ jobs:
           OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
         run: |
           set -euo pipefail
+          # Cosign v3.0 (shipped by cosign-installer@v4.1.1 default
+          # cosign-release=v3.0.5) removed --output-signature/--output-certificate
+          # on sign-blob. The replacement is --bundle, which emits a unified
+          # Sigstore bundle (signature + cert chain + Rekor inclusion proof) as
+          # a single .sigstore.json artefact. M-11.
           cosign sign-blob \
             --yes \
-            --output-signature "dist/${OUTPUT_NAME}.sig" \
+            --bundle "dist/${OUTPUT_NAME}.sigstore.json" \
-            --output-certificate "dist/${OUTPUT_NAME}.pem" \
             "dist/${OUTPUT_NAME}"
 
       - name: Compute SHA-256 sidecar
@@ -100,8 +104,7 @@ jobs:
           name: binary-${{ steps.build.outputs.output_name }}
           path: |
             dist/${{ steps.build.outputs.output_name }}
-            dist/${{ steps.build.outputs.output_name }}.sig
+            dist/${{ steps.build.outputs.output_name }}.sigstore.json
-            dist/${{ steps.build.outputs.output_name }}.pem
             dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
             dist/${{ steps.build.outputs.output_name }}.sha256
           if-no-files-found: error
@@ -138,7 +141,7 @@ jobs:
           : > checksums.txt
           for f in certctl-*; do
             case "$f" in
-              *.sig|*.pem|*.sbom.spdx.json|*.sha256|checksums.txt)
+              *.sigstore.json|*.sbom.spdx.json|*.sha256|checksums.txt)
                 continue ;;
             esac
             sha256sum "$f" >> checksums.txt
@@ -156,10 +159,11 @@ jobs:
         run: |
           set -euo pipefail
           cd artifacts
+          # Cosign v3.0 --bundle replaces the removed v2 flag pair
+          # --output-signature / --output-certificate. See M-11.
           cosign sign-blob \
             --yes \
-            --output-signature checksums.txt.sig \
+            --bundle checksums.txt.sigstore.json \
-            --output-certificate checksums.txt.pem \
             checksums.txt
 
       - name: Upload artefacts to GitHub Release
@@ -169,8 +173,7 @@ jobs:
           files: |
             artifacts/certctl-*
             artifacts/checksums.txt
-            artifacts/checksums.txt.sig
+            artifacts/checksums.txt.sigstore.json
-            artifacts/checksums.txt.pem
 
   # ----------------------------------------------------------------------
   # provenance-binaries (M-3): SLSA Level 3 provenance for every binary.
@@ -402,15 +405,15 @@ jobs:
 
             ```bash
             cosign verify-blob \
-              --certificate checksums.txt.pem \
+              --bundle checksums.txt.sigstore.json \
-              --signature checksums.txt.sig \
               --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
               --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
               checksums.txt
             ```
 
             Replace `checksums.txt` with any individual binary name to verify that
-            artefact directly (each binary ships with its own `.sig` + `.pem` sidecar).
+            artefact directly (each binary ships with its own `.sigstore.json`
+            bundle, e.g. `cosign verify-blob --bundle certctl-agent-linux-amd64.sigstore.json …`).
 
             **3. Verify SLSA Level 3 provenance (binaries):**
 

README.md

@@ -260,15 +260,17 @@ sha256sum -c checksums.txt
 
 ```bash
 cosign verify-blob \
-  --certificate checksums.txt.pem \
+  --bundle checksums.txt.sigstore.json \
-  --signature checksums.txt.sig \
   --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
   --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
   checksums.txt
 ```
 
-Every individual binary has its own `.sig` + `.pem` sidecar; swap
+Every individual binary ships with its own `.sigstore.json` bundle
-`checksums.txt` for any binary name to verify it directly.
+(unified Sigstore bundle containing signature, certificate chain, and
+Rekor inclusion proof). Swap `checksums.txt` for any binary name and
+point `--bundle` at the matching `<binary>.sigstore.json` to verify it
+directly.
 
 **3. Verify SLSA Level 3 provenance on a binary:**